Abstract

Many semantical aspects of programming languages, such as their operational semantics and their type assignment calculi, are specified by describing appropriate proof systems. Recent research has identified two proof-theoretic features that allow direct, logic-based reasoning about such descriptions: the treatment of atomic judgments as fixed points (recursive definitions) and an encoding of binding constructs via generic judgments. However, the logics encompassing these two features have thus far treated them orthogonally: that is, they do not provide the ability to define object-logic properties that themselves depend on an intrinsic treatment of binding. We propose a new and simple integration of these features within an intuitionistic logic enhanced with induction over natural numbers and we show that the resulting logic is consistent. The pivotal benefit of the integration is that it allows recursive definitions to not just encode simple, traditional forms of atomic judgments but also to capture generic properties pertaining to such judgments. The usefulness of this logic is illustrated by showing how it can provide elegant treatments of object-logic contexts that appear in proofs involving typing calculi and of arbitrarily cascading substitutions that play a role in reducibility arguments.

Keywords: generic judgments, higher-order abstract syntax, proof search, reasoning about operational semantics

1. Introduction 

An important approach to specifying and reasoning about computations involves proof theory and proof search. We discuss below three kinds of judgments about computational systems that one might want to capture and the proof theoretic techniques that have been used to capture them. We divide this discussion into two parts: the first part deals with judgments over algebraic terms and the second with judgments over terms-with-binders. We then exploit this overview to describe the new features of the logic we are presenting in this paper.



1.1. Judgments involving algebraic terms 



We overview features of proof theory that support recursive definitions about first-order (algebraic) terms and, using CCS as an example, we illustrate the judgments about computations that can be encoded through such definitions.

(1) Logic programming, may behavior. Logic programming languages allow for a natural specification and animation of operational semantics and typing judgments: this observation goes back to at least the Centaur project and its animation of Typol specifications using Prolog [5]. For example, Horn clauses provide a simple and immediate encoding of CCS labeled transition systems, and unification and backtracking provide a means for exploring what is reachable from a given process. Traditional logic programming is, however, limited to may behavior judgments: using it, we cannot prove that a given CCS process P cannot make a transition and, since this negative property is logically equivalent to proving that P is bisimilar to 0 (the null process), such systems cannot capture bisimulation.

(2) Model checking, must behavior. Proof theoretic techniques for must behaviors (such as bisimulation and many model checking problems) were developed in the early 1990's [?] and further extended later [?]. Since these techniques work by unfolding computations until termination, they are applicable to recursive definitions that are noetherian. As an example, bisimulation for finite CCS can be given an immediate and declarative specification [?].

(3) Theorem proving, infinite behavior. Reasoning about all members of a domain or about possibly infinite executions requires induction and coinduction. Incorporating induction in proof theory goes back to Gentzen. The work in [13, 23, 33] provides induction and coinduction rules associated with the above-mentioned recursive definitions. In such a setting, one can prove, for example, that (strong) bisimulation in CCS is a congruence.



1.2. Judgments involving bindings 

The proof theoretic treatment of binding in terms has echoed the three stages of development described above. We switch from CCS to the π-calculus to illustrate the different kinds of judgments that these support.

(1) Logic programming, λ-tree syntax. Higher-order generalizations of logic programming, such as higher-order hereditary Harrop formulas [21] and the dependently typed LF [?], adequately capture may behavior for terms containing bindings. In particular, the presence of hypothetical and universal judgments supports the λ-tree syntax [20] approach to higher-order abstract syntax [26]. The logic programming languages λProlog [24] and Twelf [27] support such syntax representations and provide simple specifications of, for example, reachability in the π-calculus.

(2) Model checking, ∇-quantification. While the notions of universal quantification and generic judgment are often conflated, a satisfactory treatment of must behavior requires splitting apart these concepts. The ∇-quantifier [22] was introduced to encode generic judgments directly. To illustrate the issues here, consider the formula ∇w.¬(λx.x = λx.w). If we think of λ-terms as denoting abstracted syntax (terms modulo α-conversion), this formula should be provable (variable capture is not allowed in logically sound substitution). If we think of λ-terms as describing functions, then the equation λy.t = λy.s is equivalent to ∀y.t = s. But then our example formula is equivalent to ∇w.¬∀x.x = w, which should not be provable since it is not true in a model with a single element domain. To think of λ-terms syntactically instead, we treat λy.t = λy.s as equivalent to ∇y.t = s. In this case, our example formula is equivalent to ∇w.¬∇x.x = w, which is provable [22]. Using this quantifier, the π-calculus process (νx).[x = w].wx can be encoded such that it is provably bisimilar to 0. Bedwyr [?] is a model checker that treats such generic judgments.

(3) Theorem proving, LG^ω. When there is only finite behavior, logics for recursive definitions do not need the cut or initial rules, and, consequently, they do not need to answer the question "When are two generic judgments equal?" On the other hand, induction and coinduction do need an answer to this question: e.g., when doing induction over natural numbers, one must be able to recognize that the case for i + 1 has been reduced to the case for i. The LG^ω proof system [34] provides a natural setting for answering this question. Using LG^ω encodings, one can prove that (open) bisimulation is a π-calculus congruence.

1.3. Allowing definitions of generic judgments 

In the developments discussed above, recursive definitions are permitted only for atomic judgments. In many syntax analysis problems, binding constructs are treated by building up a local context that attributes properties to the objects they bind. In reasoning about such analyses, it is often necessary to be able to associate relevant generic properties with atomic judgments. For example, a typical type assignment calculus for λ-terms treats abstractions by adding assumptions about the type of the bound variables to the context of the typing judgment. To model such a context, we might use a predicate cntx that encodes the assignment of types to abstracted variables. Thus, an atomic judgment of the form cntx [(x1,t1), ..., (xn,tn)] would denote the assignment of types t1, ..., tn to the variables x1, ..., xn and can be used as a hypothesis in the course of determining the type of a term. Now, certain "generic" properties hold implicitly of the contexts that are constructed: for example, these assign types only to bound variables and have at most one assignment for each of them. Such properties are not actually used in encoding the rules for type inference but they do have to be made explicit if we want to prove properties, such as the determinacy of type assignment, about the calculus that is encoded. Recursive definitions provide a means for formalizing properties that are needed in these kinds of reasoning tasks. Unfortunately, these definitions are not strong enough in their present form to allow for the convenient statement of generic properties ranging over atomic judgments.

These issues surrounding the specification of contexts are actually endemic to reasoning about many different kinds of specifications that utilize λ-tree syntax. We provide an elegant treatment of them here by extending recursive definitions to apply not only to atomic but also to generic judgments. Using this device, we will, for instance, be able to define a property of the form

\[
\nabla x_1 \cdots \nabla x_n.\ cntx\,[(x_1,t_1), \ldots, (x_n,t_n)].
\]

By stating the property in this way, we ensure that cntx assigns types only to variables and at most one to each. Now, this property can be used in an inductive proof, provided it can be verified that the contexts that are built up during type analysis recursively satisfy the definition. We present rules that support this style of argument.

1.4. An outline of the paper 

Section 2 describes the logic G that allows for the extended form of definitions and Section 3 establishes its consistency. The extension has significant consequences for writing and reasoning about logical specifications. We provide a hint of this through a few examples in Section 4; as discussed later, many other applications such as solutions to the POPLmark challenge problems [2], cut-elimination for sequent calculi, and an encoding of Tait's logical relations based proof of normalization for the simply typed λ-calculus [32] have been successfully developed using the Abella system that implements G. We conclude the paper with a comparison to related work and an indication of future directions.

2. A logic with generalized definitions 

The logic G is obtained by extending an intuitionistic and predicative subset of Church's Simple Theory of Types with fixed point definitions, natural number induction, and a new quantifier for encoding generic judgments. Its main components are elaborated in the subsections below. It is possible to develop a classical variant of G as well: we do not follow that path but just comment that moving from intuitionistic to classical logic can have interesting impacts on specifications. For example, the intuitionistic reading of the specification of bisimulation for the π-calculus yields open bisimulation while the classical reading of the same specification yields late bisimulation [36].

2.1. The basic syntax 

Following Church [6], terms are constructed using abstraction and application from constants and (bound) variables. All terms are typed using a monomorphic typing system; these types also constrain the set of well-formed expressions in the expected way. The provability relation concerns well-formed terms of the distinguished type o that are also called formulas. Logic is introduced by including special constants representing the propositional connectives ⊤, ⊥, ∧, ∨, ⊃ and, for every type τ that does not contain o, the constants ∀_τ and ∃_τ of type (τ → o) → o. The binary propositional connectives are written as usual in infix form and the expressions ∀_τ x.B and ∃_τ x.B abbreviate the formulas ∀_τ λx.B and ∃_τ λx.B, respectively. Type subscripts will be omitted from quantified formulas when they can be inferred from the context or are not important to the discussion. We also use a shorthand for iterated quantification: if Q is a quantifier, the expression Qx1, ..., xn.P will abbreviate Qx1 ... Qxn.P.

The usual inference rules for the universal quantifier can be seen as equating it to the conjunction of all of its instances: that is, this quantifier is treated extensionally. There are a number of situations [22] where one wishes to have a generic treatment of a statement like "B(x) holds for all x": in these situations, the form of the argument is important and not the argument's behavior on all its possible instances. To encode such generic judgments, we use the ∇-quantifier (nabla) [22]. Syntactically, this quantifier corresponds to including a constant ∇_τ of type (τ → o) → o for each type τ (not containing o). As with the other quantifiers, ∇_τ x.B abbreviates ∇_τ λx.B and the type subscripts are often suppressed for readability.



2.2. Generic judgments and ∇-quantification

Sequents in intuitionistic logic are usually written as

\[
\Sigma : B_1, \ldots, B_n \vdash B \qquad (n \geq 0)
\]

where Σ is the "global signature" for the sequent: in particular, it contains the eigenvariables of the sequent proof. We shall think of Σ in this prefix position as being a binding operator for each variable it contains. The FOλ^∇ logic [22] introduced "local signatures" for each formula in the sequent: that is, sequents are written instead as

\[
\Sigma : \sigma_1 \triangleright B_1, \ldots, \sigma_n \triangleright B_n \vdash \sigma_0 \triangleright B_0,
\]

where each σ0, ..., σn is a list of variables that are bound locally in the formula adjacent to it. Such local signatures within proofs reflect bindings in formulas using the ∇-quantifier: in particular, the judgment and formula

\[
x_1, \ldots, x_n \triangleright B \quad\text{and}\quad \nabla x_1 \cdots \nabla x_n.B \qquad (n \geq 0)
\]

have the same proof-theoretic force.

The FOλ^∇ logic [22] (and its partial implementation in the Bedwyr logic programming/model checking system [?]) eschewed atomic formulas for explicit fixed point (recursive) definitions, along with inference rules to unfold them. In such a system, both the cut rule and the initial rule can be eliminated and checking the equality of two generic judgments is not necessary. As we have already mentioned, when one is proving more ambitious theorems involving induction and coinduction, equality of generic judgments becomes important.

2.3. LG^ω and structural rules for ∇-quantification

There are two equations for ∇ that we seem forced to include when we consider proofs by induction. In a sense, these equations play the role of structural rules for the local, generic context. Written at the level of formulas, they are the ∇-exchange rule ∇x∇y.F ≡ ∇y∇x.F and the ∇-strengthening rule ∇x.F ≡ F, provided x is not free in F. The LG^ω proof system of Tiu [34] is essentially FOλ^∇ extended with these two structural rules for ∇.

The move from the weaker FOλ^∇ to the stronger LG^ω logic has at least two important additional consequences.

First, the strengthening rule implies that every type at which one is willing to use ∇-quantification is not only non-empty but contains an unbounded number of members. For example, the formula ∃_τ x.⊤ is always provable, even if there are no closed terms of type τ, because this formula is equivalent to ∇_τ y ∃_τ x.⊤, which is provable, as will be clear from the proof system given in Figure 1. Similarly, for any given n ≥ 1, the following formula is provable

\[
\exists x_1 \ldots \exists x_n \Big[ \bigwedge_{i \neq j} x_i \neq x_j \Big].
\]
\[
\frac{}{\Sigma : \Gamma, B \vdash B'}\ id,\ B' = \pi.B
\qquad
\frac{\Sigma : \Gamma \vdash B \qquad \Sigma : \Gamma, B \vdash C}{\Sigma : \Gamma \vdash C}\ cut
\qquad
\frac{\Sigma : \Gamma, B, B \vdash C}{\Sigma : \Gamma, B \vdash C}\ cL
\]

\[
\frac{}{\Sigma : \Gamma, \bot \vdash C}\ \bot L
\qquad
\frac{\Sigma : \Gamma, B \vdash C \qquad \Sigma : \Gamma, D \vdash C}{\Sigma : \Gamma, B \vee D \vdash C}\ \vee L
\qquad
\frac{\Sigma : \Gamma \vdash B_i}{\Sigma : \Gamma \vdash B_1 \vee B_2}\ \vee R,\ i \in \{1,2\}
\]

\[
\frac{}{\Sigma : \Gamma \vdash \top}\ \top R
\qquad
\frac{\Sigma : \Gamma, B_i \vdash C}{\Sigma : \Gamma, B_1 \wedge B_2 \vdash C}\ \wedge L,\ i \in \{1,2\}
\qquad
\frac{\Sigma : \Gamma \vdash B \qquad \Sigma : \Gamma \vdash C}{\Sigma : \Gamma \vdash B \wedge C}\ \wedge R
\]

\[
\frac{\Sigma : \Gamma \vdash B \qquad \Sigma : \Gamma, D \vdash C}{\Sigma : \Gamma, B \supset D \vdash C}\ \supset L
\qquad
\frac{\Sigma : \Gamma, B \vdash C}{\Sigma : \Gamma \vdash B \supset C}\ \supset R
\]

\[
\frac{\Sigma, \mathcal{K}, \mathcal{C} \vdash t : \tau \qquad \Sigma : \Gamma, B[t/x] \vdash C}{\Sigma : \Gamma, \forall_\tau x.B \vdash C}\ \forall L
\qquad
\frac{\Sigma, h : \Gamma \vdash B[h\,\bar c/x]}{\Sigma : \Gamma \vdash \forall x.B}\ \forall R,\ h \notin \Sigma,\ supp(B) = \{\bar c\}
\]

\[
\frac{\Sigma : \Gamma, B[a/x] \vdash C}{\Sigma : \Gamma, \nabla x.B \vdash C}\ \nabla L,\ a \notin supp(B)
\qquad
\frac{\Sigma : \Gamma \vdash B[a/x]}{\Sigma : \Gamma \vdash \nabla x.B}\ \nabla R,\ a \notin supp(B)
\]

\[
\frac{\Sigma, h : \Gamma, B[h\,\bar c/x] \vdash C}{\Sigma : \Gamma, \exists x.B \vdash C}\ \exists L,\ h \notin \Sigma,\ supp(B) = \{\bar c\}
\qquad
\frac{\Sigma, \mathcal{K}, \mathcal{C} \vdash t : \tau \qquad \Sigma : \Gamma \vdash B[t/x]}{\Sigma : \Gamma \vdash \exists_\tau x.B}\ \exists R
\]

Figure 1. The core rules of G



Second, the validity of the strengthening and exchange rules means that all local contexts can be made equal. As a result, the local binding can now be considered as an (implicit) global binder. In such a setting, the collection of globally ∇-bound variables can be replaced with nominal constants. Of course, in light of the exchange rule, we must consider atomic judgments as being identical if they differ by only permutations of such constants.

We shall follow the LG^ω approach to treating ∇. Thus, for every type we assume an infinite collection of nominal constants. The collection of all nominal constants is denoted by 𝒞; these constants are to be distinguished from the collection of usual, non-nominal constants that we denote by 𝒦. We define the support of a term (or formula), written supp(t), as the set of nominal constants appearing in it. A permutation of nominal constants is a bijection π from 𝒞 to 𝒞 such that {x | π(x) ≠ x} is finite and π preserves types. Permutations are extended to terms (and formulas), written π.t, as follows:

\[
\begin{array}{ll}
\pi.a = \pi(a),\ \text{if } a \in \mathcal{C} & \pi.c = c,\ \text{if } c \notin \mathcal{C} \text{ is atomic} \\
\pi.(\lambda x.M) = \lambda x.(\pi.M) & \pi.(M\ N) = (\pi.M)\ (\pi.N)
\end{array}
\]

The core fragment of G is presented in Figure 1. Sequents in this logic have the form Σ : Γ ⊢ C where Γ is a multiset and the signature Σ contains all the free variables of Γ and C. In the ∇L and ∇R rules, a denotes a nominal constant of an appropriate type. In the ∃L and ∀R rules we use raising [19] to encode the dependency of the quantified variable on the support of B; the expression (h c̄) used in these two rules denotes the (curried) application of h to the constants appearing in the sequence c̄. The ∀L and ∃R rules make use of judgments of the form Σ, 𝒦, 𝒞 ⊢ t : τ. These judgments enforce the requirement that the expression t instantiating the quantifier in the rule is a well-formed term of type τ constructed from the variables in Σ and the constants in 𝒦 ∪ 𝒞. Notice that, in contrast, the ∀R and ∃L rules seem to allow for a dependency on only a restricted set of nominal constants. However, this asymmetry is not significant: the dependency expressed through raising in the latter rules can be extended to any number of nominal constants that are not in the relevant support set without affecting the provability of sequents.

2.4. Recursive definitions 

The structure of definitions in G is, in a sense, its distinguishing characteristic. To motivate their form and also to understand their expressiveness, we consider first the definitions that are permitted in LG^ω. In that setting, a definitional clause has the form ∀x̄.H ≜ B where H is an atomic formula all of whose free variables are contained in x̄ and B is an arbitrary formula all of whose free variables must also be free in H. In a clause of this sort, H is called the head and B is called the body, and a (possibly infinite) collection of clauses constitutes a definition. Now, there are two properties of such definitional clauses that should be noted. First, H and B are restricted to not contain occurrences of nominal constants. Second, the interpretation of such a clause permits the variables in x̄ to be instantiated with terms containing any nominal constant; intuitively, the quantificational structure at the head of the definition has a ∇∀ form, with the (implicit) ∇ quantification being over arbitrary sequences of nominal constants. These two properties actually limit the power of definitions: (subparts of) terms satisfying the relations they identify cannot be forced to be nominal constants and, similarly, specific (sub)terms cannot be stipulated to be independent of such constants.

These shortcomings are addressed in G by allowing definitional clauses to take the form ∀x̄.(∇z̄.H) ≜ B where all the free variables in ∇z̄.H must appear in x̄ and all the free variables in B must also be free in ∇z̄.H. The intended interpretation of the ∇ quantification over H is that particular terms appearing in the relation being defined must be identified as nominal constants, although specific names may still not be assigned to these constants. Moreover, the location of this quantifier changes the prefix over the head from a ∇∀ form to the more general ∇∀∇ form. Concretely, the explicit ∇ quantification over z̄ forces the instantiations for the externally ∀-quantified variables x̄ to be independent of the nominal constants used for z̄.

One illustration of the definitions permitted in G is provided by the following clause:

\[
(\nabla n.\ name\ n) \triangleq \top.
\]

An atomic predicate name N would satisfy this clause provided that it can be matched with its head. For this to be possible, N must be a nominal constant. Thus, name is a predicate that recognizes such constants. As another example, consider the clause

\[
\forall E.(\nabla x.\ fresh\ x\ E) \triangleq \top.
\]

In this case the atomic formula fresh N T will satisfy the clause just in case N is a nominal constant and T is a term that does not contain this constant (the impossibility of variable capture ensures this constraint). Thus, this clause expresses the property of a name being "fresh" to a given term. Further illustrations of the new form of definitions and their use in reasoning tasks are considered in Section 4.
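As an added illustration (not code from the paper, nor from Abella or Bedwyr), the following Python models on a small term language the machinery of Sections 2.3 and 2.4: supp, the action π.t of a permutation of nominal constants, the identification of atomic judgments that differ only by such a permutation, the side condition a ∉ supp(B) of the ∇ rules, and the reading of the name and fresh clauses as matching against a head whose argument is ∇-quantified. The term constructors, the dict encoding of a finite permutation, and the sample judgments are constructed for this example and are not notation from the paper.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Union


# Term syntax: nominal constants (the collection C), ordinary constants (K),
# lambda-bound variables, abstraction and application.
@dataclass(frozen=True)
class Nom:      # a nominal constant, e.g. Nom("a")
    name: str

@dataclass(frozen=True)
class Const:    # an ordinary constant from K, e.g. Const("of")
    name: str

@dataclass(frozen=True)
class Var:      # a lambda-bound variable
    name: str

@dataclass(frozen=True)
class Lam:
    var: str
    body: "Term"

@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"

Term = Union[Nom, Const, Var, Lam, App]


def app(f: Term, *args: Term) -> Term:
    """Curried application f a1 ... an (helper for writing sample terms)."""
    t = f
    for x in args:
        t = App(t, x)
    return t


def supp(t: Term) -> frozenset:
    """supp(t): the set of nominal constants appearing in t."""
    if isinstance(t, Nom):
        return frozenset({t.name})
    if isinstance(t, (Const, Var)):
        return frozenset()
    if isinstance(t, Lam):
        return supp(t.body)
    return supp(t.fun) | supp(t.arg)


def permute(pi: Dict[str, str], t: Term) -> Term:
    """pi.t for a permutation pi of C, encoded by the finite set of constants
    it moves (anything absent from the dict is fixed). Follows the four
    equations of Section 2.3: rename nominal constants, leave other atoms
    alone, and pass through abstraction and application."""
    if isinstance(t, Nom):
        return Nom(pi.get(t.name, t.name))
    if isinstance(t, (Const, Var)):
        return t
    if isinstance(t, Lam):
        return Lam(t.var, permute(pi, t.body))
    return App(permute(pi, t.fun), permute(pi, t.arg))


def equivariant_match(a: Term, b: Term) -> Optional[Dict[str, str]]:
    """Return a permutation pi with pi.a == b when the two atomic judgments
    are identical up to a permutation of nominal constants, else None.
    Only bijections between the two supports need to be tried; any such
    bijection extends to a permutation of the infinite collection C."""
    sa, sb = sorted(supp(a)), sorted(supp(b))
    if len(sa) != len(sb):
        return None
    for image in itertools.permutations(sb):
        pi = dict(zip(sa, image))
        if permute(pi, a) == b:
            return pi
    return None


def fresh_nominal(*terms: Term, prefix: str = "n") -> Nom:
    """A nominal constant outside the support of the given terms: the side
    condition a not in supp(B) of the nabla-L / nabla-R rules. Since C is
    infinite such a constant always exists."""
    used = set().union(*(supp(t) for t in terms))
    i = 0
    while f"{prefix}{i}" in used:
        i += 1
    return Nom(f"{prefix}{i}")


def name(n: Term) -> bool:
    """(nabla n. name n) := T holds exactly when n is a nominal constant."""
    return isinstance(n, Nom)


def fresh(n: Term, e: Term) -> bool:
    """forall E.(nabla x. fresh x E) := T: x must be a nominal constant and,
    because E is bound outside the nabla, E cannot mention that constant."""
    return isinstance(n, Nom) and n.name not in supp(e)
```

The equivariant_match function is what makes the id rule's proviso B' = π.B checkable for atomic judgments: two typing judgments "of a int" and "of b int" are the same judgment up to the permutation swapping a and b, whereas "of a a" and "of a b" are not, since their supports have different sizes.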

Definitions impact the logical system through introduction rules for atomic judgments. Formalizing these rules involves the use of substitutions. A substitution θ is a type-preserving mapping (whose application is written in postfix notation) from variables to terms, such that the set {x | xθ ≠ x} is finite. Although a substitution is extended to a mapping from terms to terms, formulas to formulas, etc., when we refer to its domain and range, we mean these sets for this most basic function. A substitution is extended to a function from terms to terms in the usual fashion. If Γ is a multiset of formulas then Γθ is the multiset {Jθ | J ∈ Γ}. If Σ is a signature then Σθ is the signature that results from removing from Σ the variables in the domain of θ and adding the variables that are free in the range of θ.

To support the desired interpretation of a definitional clause, when matching the head of ∀x̄.(∇z̄.H) ≜ B with an atomic judgment, we must permit the instantiations for x̄ to contain the nominal constants appearing in that judgment. Likewise, we must consider instantiations for the eigenvariables appearing in the judgment that possibly contain the nominal constants chosen for z̄. Both possibilities can be realized via raising. Given a clause ∀x1, ..., xn.(∇z̄.H) ≜ B, we define a version of it raised over the sequence of nominal constants ā and away from a signature Σ as

\[
\forall \bar h.(\nabla \bar z.\ H[h_1\,\bar a/x_1, \ldots, h_n\,\bar a/x_n]) \triangleq B[h_1\,\bar a/x_1, \ldots, h_n\,\bar a/x_n],
\]

where h1, ..., hn are distinct variables of suitable type that do not appear in Σ. Given the sequent Σ : Γ ⊢ C and a sequence of nominal constants c̄ none of which appear in the support of Γ or C, let σ be any substitution of the form

\[
\{\, h'\,\bar c / h \mid h \in \Sigma \text{ and } h' \text{ is a variable of suitable type that is not in } \Sigma \,\}.
\]

Then the sequent Σσ : Γσ ⊢ Cσ constitutes a version of Σ : Γ ⊢ C raised over c̄.

\[
\frac{\{\, \Sigma'\theta : (\pi.B')\theta, \Gamma'\theta \vdash C'\theta \,\}}{\Sigma : A, \Gamma \vdash C}\ defL
\qquad
\frac{\Sigma' : \Gamma' \vdash (\pi.B')\theta}{\Sigma : \Gamma \vdash A}\ defR
\]

Figure 2. Rules for definitions

The introduction rules based on definitions are presented in Figure 2. The defL rule has a set of premises that is generated by considering each definitional clause of the form ∀x̄.(∇z̄.H) ≜ B in the following fashion. Assuming that z̄ = z1, ..., zn, let c̄ = c1, ..., cn be a sequence of distinct nominal constants none of which appear in the support of Γ, A or C and let Σ' : A', Γ' ⊢ C' denote a version of the lower sequent raised over c̄. Further, let H' and B' be obtained by taking the head and body of a version of the clause being considered raised over a listing ā of the constants in the support of A and away from Σ' and applying the substitution [c1/z1, ..., cn/zn] to them. Then the set of premises arising from this clause is obtained by considering all permutations π of ā c̄ and all substitutions θ such that (π.H')θ = A'θ, with the proviso that the range of θ may not contain any nominal constants.

The defR rule has exactly one premise that is obtained by using any one definitional clause. The formulas B' and H' are generated from this clause as in the defL case, but π is now taken to be any one permutation of ā c̄ and θ is taken to be any one substitution such that (π.H')θ = A', again with the proviso that the range of θ may not contain any nominal constants.

In summary, the definition rules are based on raising the sequent over the nominal constants picked for the ∇ variables from the definition, raising the definition over nominal constants from the sequent, and then unifying the chosen atomic judgment and the head of the definition under various permutations of the nominal constants. As it is stated, the set of premises in the defL rule arising from any one definitional clause is potentially infinite because of the need to consider every unifying substitution. It is possible to restrict these substitutions instead to the members of a complete set of unifiers. In the situations where there is a single most general unifier, as is the case when we are dealing with the higher-order pattern fragment [18], the number of premises arising from each definition clause is bounded by the number of permutations. In practice, this number can be quite small, as illustrated in Section 4.

\[
\frac{\vdash I\,z \qquad x : I\,x \vdash I\,(s\,x) \qquad \Sigma : \Gamma, I\,N \vdash C}{\Sigma : \Gamma, nat\,N \vdash C}\ natL
\qquad
\frac{}{\Sigma : \Gamma \vdash nat\,z}\ natR
\qquad
\frac{\Sigma : \Gamma \vdash nat\,N}{\Sigma : \Gamma \vdash nat\,(s\,N)}\ natR
\]

Figure 3. Rules for natural number induction

Two restrictions must be placed on definitional clauses to ensure consistency of the logic. The first is that no nominal constants may appear in such a clause; this requirement also enforces an equivariance property for definitions. The second is that such clauses must be stratified so as to guarantee the existence of fixed points. To do this we associate with each predicate p a natural number lvl(p), the level of p. The notion is generalized to formulas as follows.

Definition 1. Given a formula B, its level lvl(B) is defined as follows:

1. lvl(p t̄) = lvl(p)

2. lvl(⊥) = lvl(⊤) = 0

3. lvl(B ∧ C) = lvl(B ∨ C) = max(lvl(B), lvl(C))

4. lvl(B ⊃ C) = max(lvl(B) + 1, lvl(C))

5. lvl(∀x.B) = lvl(∇x.B) = lvl(∃x.B) = lvl(B)

For every definitional clause ∀x̄.(∇z̄.H) ≜ B, we require lvl(B) ≤ lvl(H). This stratification condition ensures that a definition cannot depend negatively on itself. More precise stratification conditions which allow such dependency in a controlled fashion are possible, but we choose this condition for simplicity. See [15, 34] for a description of why these properties lead to consistency.
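As an added example (not code from the paper or from Abella), the following Python computes lvl as in Definition 1 and searches for predicate levels satisfying lvl(B) ≤ lvl(H) for every clause of a definition, returning None when no finite assignment exists, which is exactly the case of a predicate that depends negatively on itself. The formula constructors, the encoding of a clause as a (head predicate, body) pair, and the sample definitions (the page's fresh, element and member clauses together with a constructed notin predicate defined by negation and a constructed self-negating clause) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


# Formula syntax, restricted to the cases that Definition 1 distinguishes.
@dataclass(frozen=True)
class Atom:          # p t1 ... tn; only the predicate name matters for lvl
    pred: str

@dataclass(frozen=True)
class Top:           # the constant T
    pass

@dataclass(frozen=True)
class Bot:           # the constant bottom
    pass

@dataclass(frozen=True)
class And:
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Or:
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Imp:           # B implies C
    ante: "Formula"
    conc: "Formula"

@dataclass(frozen=True)
class Quant:         # forall, exists or nabla: lvl looks through the binder
    kind: str
    var: str
    body: "Formula"

Formula = Union[Atom, Top, Bot, And, Or, Imp, Quant]


def lvl(f: Formula, levels: Dict[str, int]) -> int:
    """Definition 1: the level of a formula, given the levels of predicates."""
    if isinstance(f, Atom):
        return levels[f.pred]
    if isinstance(f, (Top, Bot)):
        return 0
    if isinstance(f, (And, Or)):
        return max(lvl(f.left, levels), lvl(f.right, levels))
    if isinstance(f, Imp):
        # Only the antecedent raises the level: an atom to the left of an
        # implication is a negative occurrence, and it must sit strictly
        # below the head of any clause whose body mentions it.
        return max(lvl(f.ante, levels) + 1, lvl(f.conc, levels))
    return lvl(f.body, levels)


def atoms(f: Formula) -> List[Atom]:
    """All atomic subformulas of f (used to collect predicate names)."""
    if isinstance(f, Atom):
        return [f]
    if isinstance(f, (Top, Bot)):
        return []
    if isinstance(f, (And, Or)):
        return atoms(f.left) + atoms(f.right)
    if isinstance(f, Imp):
        return atoms(f.ante) + atoms(f.conc)
    return atoms(f.body)


# A clause forall x.(nabla z.H) := B is kept as (head predicate of H, B).
Clause = Tuple[str, Formula]


def stratify(clauses: List[Clause]) -> Optional[Dict[str, int]]:
    """Least level assignment with lvl(B) <= lvl(H) for every clause, or
    None if no finite one exists. Levels start at 0 and each clause raises
    its head's level to what its body demands. Any raise is explained by a
    chain of clauses; a chain longer than the number of predicates revisits
    a predicate, so levels still moving after that many rounds can only be
    driven by a cycle that passes under an implication: a negative
    self-dependency."""
    preds = {h for h, _ in clauses} | {a.pred for _, b in clauses for a in atoms(b)}
    levels = {p: 0 for p in preds}
    for _ in range(len(preds) + 1):
        changed = False
        for head, body in clauses:
            needed = lvl(body, levels)
            if needed > levels[head]:
                levels[head] = needed
                changed = True
        if not changed:
            return levels
    return None


# Constructed sample definition (nat is the distinguished predicate of
# Section 2.5 and has no clauses of its own).
GOOD = [
    ("fresh", Top()),                                   # forall E.(nabla x. fresh x E) := T
    ("element", Top()),                                 # element z B (B :: L) := T
    ("element", Atom("element")),                       # element (s n) B (C :: L) := element n B L
    ("member", Quant("exists", "n", And(Atom("nat"), Atom("element")))),
    ("notin", Imp(Atom("member"), Bot())),              # notin X L := member X L implies bottom
]
BAD = [("p", Imp(Atom("p"), Bot()))]                    # p X := p X implies bottom
```

Running stratify(GOOD) places notin one level above member, as the implication in its body requires, while stratify(BAD) never stabilizes and returns None: the clause would need lvl(p) ≥ lvl(p) + 1.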

2.5. Induction over natural numbers 

The final component of G is an encoding of natural numbers and rules for carrying out induction over these numbers. This form of induction is useful in reasoning about specifications of computations because it allows us to induct on the height of object-logic proof trees that encode the lengths of computations. Specifically, we introduce the type nt and corresponding constructors z : nt and s : nt → nt. Use of induction is controlled by the distinguished predicate nat : nt → o. The rules for this predicate are presented in Figure 3. The rule natL is actually a rule schema, parameterized by the induction invariant I. Providing induction over only natural numbers is mostly a matter of convenience in studying the meta-theory of G. Extending induction to other algebraic datatypes [23, 33] should have little impact on the meta-theory of G, although it would clearly be a useful extension for any system implementing G (such as Abella [?]).

3. Cut-elimination and consistency for G

The consistency of G is an immediate consequence of the cut-elimination result for this logic. Cut-elimination is proved for LG^ω [35] by a generalization of the approach used for FOλ^ΔIN [?] that is itself based on a technique introduced by Tait [32] and refined by Martin-Löf [12]. The main aspect of this generalization is recognizing and utilizing the fact that certain transformations of sequents preserve provability and also do not increase (minimum) proof height. The particular transformations that are considered in the case of LG^ω have to do with weakening of hypotheses, permutations of nominal constants, and substitutions for eigenvariables. We can use this framework to show that cut can be eliminated from G by adding one more transformation to this collection. This transformation pertains to the raising of sequents that is needed in the introduction rules based on the extended form of definitional clauses. We motivate this transformation by sketching the structure of the argument as it concerns the use of such clauses below.

The critical part of the cut-elimination argument is the reduction of what are called the essential cases of the use of the cut rule, i.e., the situations where the last rule in the derivation is a cut and the last rules in the derivations of its premises introduce the cut formula. Now, the only rules of G that are different from those of LG^ω are defL and defR. Thus, we have to consider a different argument only when these rules are the last ones used in the premise derivations in an essential case of a cut. In this case, the overall derivation has the form

\[
\frac{
\dfrac{\dfrac{\Pi_1}{\Sigma' : \Gamma' \vdash (\pi.B')\theta}}{\Sigma : \Gamma \vdash A}\ defR
\qquad
\dfrac{\left\{ \dfrac{\Pi_{\rho,\pi',\theta'}}{\Sigma''\rho : (\pi'.B'')\rho, \Delta''\rho \vdash C''\rho} \right\}_{\rho,\pi',\theta'}}{\Sigma : \Delta, A \vdash C}\ defL
}{\Sigma : \Gamma, \Delta \vdash C}\ cut
\]

where Π1 and Π_{ρ,π',θ'} represent derivations of the relevant sequents. Let Σ' : Γ' ⊢ A' be the raised version of Σ : Γ ⊢ A and let H' and B' be the head and body of the version of the definitional clause raised over supp(A) and away from Σ' used in the defR rule. From the definition of this rule, we know that θ is a substitution such that (π.H')θ = A'. Let θ' be the restriction of θ to the free variables of H'. Clearly (π.H')θ = (π.H')θ' and (π.B')θ = (π.B')θ'. Further, since the free variables of H' are distinct from the variables in Σ', θ' has no effect on Σ', Δ', C', or A'. Thus, it must be the case that (π.H')θ' = A'θ'. From this it follows that

\[
\Sigma' : (\pi.B')\theta', \Delta' \vdash C'
\]

is included in the set of derivations above the lower sequent of the defL rule. We can therefore reduce the cut in question to the following:

\[
\frac{\Sigma' : \Gamma' \vdash (\pi.B')\theta' \qquad \Sigma' : (\pi.B')\theta', \Delta' \vdash C'}{\Sigma' : \Gamma', \Delta' \vdash C'}
\]

The proof of cut-elimination for LG^ω is based on induction over the height of the right premise in a cut; therefore this cut can be further reduced and eliminated. The essential properties we need to complete the proof at this point are that Σ' : Γ', Δ' ⊢ C' is provable if and only if Σ : Γ, Δ ⊢ C is provable, and that both proofs have the same height in this case. We formalize these in the lemma below.

Definition 2 (Proof height). The height of a derivation Π, denoted by ht(Π), is 1 if Π has no premise derivations and is the least upper bound of {ht(Πi) + 1}_{i∈I} if Π has the premise derivations {Πi}_{i∈I} where I is some index set.

Lemma 3 (Raising). Let Σ : Γ ⊢ C be a sequent, let c̄ be a list of nominal constants not in the support of Γ or C, and let Σ' : Γ' ⊢ C' be a version of Σ : Γ ⊢ C raised over c̄. Then Σ : Γ ⊢ C has a proof of height h if and only if Σ' : Γ' ⊢ C' has a proof of height h.

With this lemma in place, the following theorem and its 
corollary follow. 

Theorem 4. The cut rule can be eliminated from G without affecting the provability relation.

Corollary 5. The logic G is consistent, i.e., it is not the case that both A and A ⊃ ⊥ are provable.

Cut-elimination is also useful in designing theorem 
provers and its counterpart, cut-admissibility, allows one to 
reason richly about the properties of such proof procedures. 

4. Examples 

We will often suppress the outermost universal quantifiers in displayed definitions and will assume that capital letters denote implicitly universally quantified variables.

$$\begin{array}{rcl}
\mathit{member}\ B\ L & \triangleq & \exists n.\ \mathit{nat}\ n \wedge \mathit{element}\ n\ B\ L \\
\mathit{element}\ (s\ N)\ B\ (B :: L) & \triangleq & \top \\
\mathit{element}\ (s\ N)\ B\ (C :: L) & \triangleq & \mathit{element}\ N\ B\ L
\end{array}$$

Figure 4. List membership

Freshness In Section 2 we showed how the property of freshness could be defined in $\mathcal{G}$ by the definitional clause

$$\forall E.\ (\nabla x.\ \mathit{fresh}\ x\ E) \triangleq \top.$$

This clause ensures that the atomic judgment $(\mathit{fresh}\ X\ E)$ holds if and only if $X$ is a nominal constant which does not appear anywhere in the term $E$. To see the simplicity and directness of this definition, consider how we might define freshness in a system like $LG^\omega$ which allows for definitions only of atomic judgments. In this situation, we would have to verify that $X$ is a nominal constant by ruling out the possibility that it is a term of one of the other permitted forms. Then, checking that $X$ does not appear in $E$ would require an explicit walk over the structure of $E$. In short, such a definition would have to have the specific structure of terms coded into it and would also use (a mild form of) negative judgments.

To illustrate how the definition in $\mathcal{G}$ can be used in a reasoning task, consider proving the following lemma

$$\forall x, e, \ell.\ (\mathit{fresh}\ x\ \ell \wedge \mathit{member}\ e\ \ell) \supset \mathit{fresh}\ x\ e$$

where member is defined in Figure 4. This lemma is useful in constructing arguments such as type uniqueness, where one must know that a list does not contain a typing judgment for a particular variable. The proof of this lemma proceeds by induction on the natural number $n$ quantified in the body of member. The base case and the inductive step eventually require showing the following:

$$\forall x, b, \ell.\ \mathit{fresh}\ x\ (b :: \ell) \supset \mathit{fresh}\ x\ b$$
$$\forall x, b, \ell.\ \mathit{fresh}\ x\ (b :: \ell) \supset \mathit{fresh}\ x\ \ell$$

We shall consider the proof of only the first statement; the 
proof of the second has a similar structure. 

The first statement follows if we can prove the sequent

$$x, b, \ell : \mathit{fresh}\ x\ (b :: \ell) \vdash \mathit{fresh}\ x\ b.$$

Consider how defL acts on the hypothesis $(\mathit{fresh}\ x\ (b :: \ell))$ in this sequent. First the clause for fresh is raised over the support of the hypothesis, but this is empty so raising has no effect. Second, the sequent is raised over some new nominal constant $c$ corresponding to the $\nabla$ in the head of the definition for fresh. The last step is to consider all permutations $\pi$ of the set $\{c\}$ and all solutions $\theta$ of

$$(\pi.\mathit{fresh}\ c\ e)\theta = (\mathit{fresh}\ (x'\ c)\ ((b'\ c) :: (\ell'\ c)))\theta.$$

There is, in fact, a most general unifier here:

$$\theta = [x' \mapsto (\lambda x.x),\ b' \mapsto (\lambda x.b''),\ \ell' \mapsto (\lambda x.\ell''),\ e \mapsto (b'' :: \ell'')].$$

The resulting sequent is

$$b'', \ell'' : \top \vdash \mathit{fresh}\ c\ b''$$

$$\begin{array}{rcl}
\mathit{seq}_N\ L\ \langle A \rangle & \triangleq & \mathit{member}\ A\ L \\
\mathit{seq}_{(s\ N)}\ L\ (B \wedge C) & \triangleq & \mathit{seq}_N\ L\ B \wedge \mathit{seq}_N\ L\ C \\
\mathit{seq}_{(s\ N)}\ L\ (A \supset B) & \triangleq & \mathit{seq}_N\ (A :: L)\ B \\
\mathit{seq}_{(s\ N)}\ L\ (\forall B) & \triangleq & \nabla x.\ \mathit{seq}_N\ L\ (B\ x) \\
\mathit{seq}_{(s\ N)}\ L\ \langle A \rangle & \triangleq & \exists b.\ \mathit{prog}\ A\ b \wedge \mathit{seq}_N\ L\ b
\end{array}$$

Figure 5. Second-order hereditary Harrop logic in $\mathcal{G}$

The next step in this proof is to apply defR to the conclusion. To do this we first raise the clause for fresh over the support of the conclusion, which is $\{c\}$. Then we raise the sequent over a new nominal constant $c'$ corresponding to the $\nabla$ in the head of the definition. Finally we need to find a permutation $\pi$ of $\{c, c'\}$ and a solution $\theta$ to $(\pi.\mathit{fresh}\ c'\ (e'\ c))\theta = \mathit{fresh}\ c\ (b'''\ c')$. Here we find the permutation which swaps $c$ and $c'$ and the solution $\theta$ which unifies $e'$ and $b'''$. The resulting sequent is then

$$b''', \ell''' : \top \vdash \top$$

which is trivially provable.

Typing contexts We now illustrate an approach to animating and reasoning about the static and dynamic semantics of programming languages. The first step in this approach is that of encoding these two kinds of semantics using the (second-order fragment of the) logic of hereditary Harrop formulas. Specifications provided through these formulas have a natural executable interpretation based on the logic programming paradigm [?]. The interesting part from the perspective of this paper is that we can encode provability of this subset of hereditary Harrop formulas as a definition in $\mathcal{G}$. This definition, then, becomes the bridge for reasoning about the (executable) specifications.

To develop these ideas in more detail, we encode provability in the second-order hereditary Harrop logic as a three-place definition $(\mathit{seq}\ N\ L\ G)$ where $L$ denotes the context of hypothetical (assumed) atomic formulas and $G$ denotes the goal formula [16, 22]. The argument $N$ corresponds to the height of the proof tree and is used for inductive arguments; we write this argument as a subscript to downplay its significance. The definition of seq is presented in Figure 5. The constructor $\langle\cdot\rangle$ is used to inject atomic formulas into formulas; as such, it serves as a device for isolating atomic formulas. The object level universal quantifier is reflected into a meta level generic (i.e., $\nabla$) quantifier in the definition of seq; this treatment turns out to capture the computational semantics of the universal quantifier rather precisely. Backchaining is realized by the last clause of seq. In giving meaning to this clause, we expect that the specification of interest in a particular situation (i.e., the logic program that we want to reason about) has been encoded through the definition of prog. In particular, a logic program clause of the form $\forall x.((G\ x) \supset (A\ x))$ would result, in the reasoning context, in the addition of a definitional clause $\forall x.\ \mathit{prog}\ (A\ x)\ (G\ x) \triangleq \top$ that can be used by the seq predicate. To simplify notation, we write $L \Vdash P$ for $\exists n.(\mathit{nat}\ n \wedge \mathit{seq}\ n\ L\ P)$. When $L$ is nil we write just $\Vdash P$.

$$\forall m, n, t, u\ [\mathit{of}\ m\ (\mathit{arr}\ u\ t) \wedge \mathit{of}\ n\ u \supset \mathit{of}\ (\mathit{app}\ m\ n)\ t]$$
$$\forall r, t, u\ [\forall x\ [\mathit{of}\ x\ t \supset \mathit{of}\ (r\ x)\ u] \supset \mathit{of}\ (\mathit{abs}\ t\ r)\ (\mathit{arr}\ t\ u)]$$

Figure 6. Simple typing of $\lambda$-terms

An example of a specification that we may wish to reason about is that of the typing rules for the simply typed $\lambda$-calculus. These rules can be encoded using hereditary Harrop formulas as shown in Figure 6 that, in turn, would be reflected into definitional clauses for prog as described above. In these formulas, app and abs are the usual constructors for application and abstraction in the untyped $\lambda$-calculus. Note that no explicit context of typing assumptions is used in these rules: rather the hypothetical judgment of hereditary Harrop formulas is used to keep track of such assumptions. This context is made explicit only when reasoning about this specification via the seq definition.

Consider demonstrating the type uniqueness property for the simply typed $\lambda$-calculus using the seq encoding. We can do this by showing that the formula

$$\forall m, t, s.\ (\Vdash (\mathit{of}\ m\ t) \wedge \Vdash (\mathit{of}\ m\ s)) \supset t = s$$

is a theorem: here, the binary predicate $=$ is defined by the single clause $\forall x.\ x = x \triangleq \top$. We can prove this formula using an induction on natural numbers but, to do this, we must generalize it to account for the fact that the rule for typing abs that allows us to descend under abstractions enhances the atomic formulas assumed by seq. A suitably generalized form of the statement, then, is

$$\forall \ell, m, t, s.\ (\mathit{cntx}\ \ell \wedge \ell \Vdash (\mathit{of}\ m\ t) \wedge \ell \Vdash (\mathit{of}\ m\ s)) \supset t = s.$$

Now, this formula is provable only if the definition of cntx ensures that if $\mathit{cntx}\ \ell$ holds then $\ell$ is of the form

$$(\mathit{of}\ c_1\ T_1 :: \ldots :: \mathit{of}\ c_n\ T_n :: \mathit{nil}),$$

where $c_1 \ldots c_n$ are distinct nominal constants. The challenge then, is in providing a definition of cntx which accurately describes this requirement. In particular, the definition must ensure that the first arguments to of in the elements of this list are nominal constants and not some other piece of syntax, and it must also ensure that each such constant is distinct from all others.

$$\begin{array}{rcl}
\mathit{cntx}\ \mathit{nil} & \triangleq & \top \\
\mathit{cntx}\ (\mathit{of}\ X\ A :: L) & \triangleq & (\forall M, N.\ X = \mathit{app}\ M\ N \supset \bot) \wedge {} \\
& & (\forall M, B.\ X = \mathit{abs}\ B\ M \supset \bot) \wedge {} \\
& & (\forall B.\ \mathit{member}\ (\mathit{of}\ X\ B)\ L \supset \bot) \wedge {} \\
& & \mathit{cntx}\ L
\end{array}$$

Figure 7. cntx in $LG^\omega$

$$\begin{array}{rcl}
\mathit{cntx}\ \mathit{nil} & \triangleq & \top \\
(\nabla x.\ \mathit{cntx}\ (\mathit{of}\ x\ A :: L)) & \triangleq & \mathit{cntx}\ L
\end{array}$$

Figure 8. cntx in $\mathcal{G}$

In $LG^\omega$, cntx can be defined by explicitly restricting each element of the context as shown in Figure 7. This definition checks that the first argument to of is a nominal constant by explicitly ruling out all other possibilities for it. Then, to ensure distinctness of arguments, the rest of the list is traversed using member. This definition is evidently complex and the complexity carries over also into the process of reasoning based on it.

In $\mathcal{G}$ we can give a direct and concise definition of cntx using $\nabla$ quantification in the head of a definition as is done in Figure 8. The occurrence of the $\nabla$-bound variable $x$ in the first argument of of codifies the fact that type assignments are only made for nominal constants. The uniqueness of such nominal constants is enforced by the quantification structure of cntx: the variable $L$ cannot contain any occurrences of $x$. With this definition of cntx, the generalized theorem of type uniqueness is provable. Use of defL on the hypothesis $\mathit{cntx}\ \ell$ will allow only the possibility of type assignments for nominal constants, while use of defR will verify that the contexts that are created in treating abstractions align with the requirements imposed by the definition of cntx.
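As an added illustration (example code written for this page, not the paper's own development and not Abella's implementation), the following Python program reads the seq encoding of the typing rules in Figure 6 together with the cntx invariant of Figure 8 as an executable checker: abs carries its domain type as in Figure 6, the object-level $\forall$ becomes a freshly generated nominal constant, the hypothetical judgment extends the list $L$, and cntx checks that $L$ is a list of $\mathit{of}\ c\ T$ pairs whose nominal constants are distinct. The names Nom, App, Abs, Base, Arr, occurs, cntx, of and the sample terms are my own; occurs is exactly the explicit structural walk that an $LG^\omega$-style definition needs and that the $\nabla$ in Figure 8 makes implicit.

```python
# Added example (not from the paper or Abella): an executable reading of the
# seq/of encoding of Figure 6 and the cntx invariant of Figure 8, for
# Church-style simply typed lambda-terms in lambda-tree syntax.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple, Union
import itertools

@dataclass(frozen=True)
class Nom:            # nominal constant: a free variable introduced by nabla
    name: str

@dataclass(frozen=True)
class App:            # app m n
    fn: "Term"
    arg: "Term"

@dataclass
class Abs:            # abs t r, with the binder r as a Python function
    dom: "Ty"
    body: Callable[["Term"], "Term"]

Term = Union[Nom, App, Abs]

@dataclass(frozen=True)
class Base:           # a base type
    name: str

@dataclass(frozen=True)
class Arr:            # arr u t
    dom: "Ty"
    cod: "Ty"

Ty = Union[Base, Arr]
Ctx = List[Tuple[Term, Ty]]   # the context L of assumed atoms `of c T`

_counter = itertools.count()

def fresh_nom() -> Nom:
    """The nabla quantifier: a nominal constant not used so far."""
    return Nom(f"c{next(_counter)}")

def occurs(c: Nom, t: Term) -> bool:
    """Explicit structural walk asking whether c appears in t: the kind of
    check an LG^omega-style definition needs and the nabla of Figure 8 avoids."""
    if isinstance(t, Nom):
        return t == c
    if isinstance(t, App):
        return occurs(c, t.fn) or occurs(c, t.arg)
    if isinstance(t, Abs):
        return occurs(c, t.body(fresh_nom()))
    return False

def cntx(L: Ctx) -> bool:
    """Figure 8's invariant: every element is `of c T` with c a nominal
    constant that does not occur in the rest of the list."""
    for i, (c, _ty) in enumerate(L):
        if not isinstance(c, Nom):
            return False
        if any(occurs(c, d) for d, _ in L[i + 1:]):
            return False
    return True

def of(L: Ctx, m: Term) -> Optional[Ty]:
    """The type t with `L |- of m t` derivable via seq and the prog clauses of
    Figure 6, or None.  A function returns at most one t, which is the
    executable face of type uniqueness."""
    if isinstance(m, Nom):
        # seq_N L <A> := member A L
        for c, ty in L:
            if c == m:
                return ty
        return None
    if isinstance(m, App):
        # of m (arr u t) /\ of n u  ==>  of (app m n) t
        tf = of(L, m.fn)
        if not isinstance(tf, Arr):
            return None
        return tf.cod if of(L, m.arg) == tf.dom else None
    if isinstance(m, Abs):
        # forall x [of x t ==> of (r x) u]  ==>  of (abs t r) (arr t u):
        # the object-level forall becomes a fresh nominal constant (nabla)
        # and the hypothetical `of x t` is pushed onto the context L.
        c = fresh_nom()
        u = of([(c, m.dom)] + L, m.body(c))
        return Arr(m.dom, u) if u is not None else None
    return None

# Constructed sample terms (not from the paper).
i = Base("i")
ident = Abs(i, lambda x: x)                                    # \x:i. x
twice = Abs(Arr(i, i), lambda f: Abs(i, lambda x: App(f, App(f, x))))
self_app = Abs(i, lambda x: App(x, x))                         # untypable

if __name__ == "__main__":
    print(of([], ident))                          # the type i -> i
    print(of([], twice), of([], self_app))        # (i -> i) -> (i -> i), None
    print(cntx([(Nom("a"), i), (Nom("b"), i)]),   # True
          cntx([(Nom("a"), i), (Nom("a"), i)]))   # False: a repeated
```

Because of is written as a function it returns at most one type for a term under a given context; that determinism is the executable counterpart of the type uniqueness theorem, which the paper proves for the seq encoding by induction on the nat argument with cntx as the invariant on $\ell$. Note that cntx rejects a context whose first components are not nominal constants, or whose constants repeat, which is precisely what the $\nabla$ in the head of Figure 8 enforces without any occurs-style walk.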

Arbitrarily cascading substitutions Reducibility arguments, such as Tait's proof of normalization for the simply typed $\lambda$-calculus [32], are based on judgments over closed terms. During reasoning, however, one is often working with open terms. To compensate, the closed term judgment is extended to open terms by considering all possible closed instantiations of the open terms. When reasoning with $\mathcal{G}$, open terms are denoted by terms with nominal constants representing free variables. The general form of an open term is thus $M\ c_1 \cdots c_n$, and we want to consider all possible instantiations $M\ V_1 \cdots V_n$ where the $V_i$ are closed terms. This type of arbitrary cascading substitution is difficult to realize in reasoning systems based on $\lambda$-tree syntax since $M$ would have an arbitrary number of abstractions.

$$\begin{array}{rcl}
\mathit{subst}\ z\ \mathit{nil}\ T\ T & \triangleq & \top \\
(\nabla x.\ \mathit{subst}\ (s\ N)\ ((x, V) :: L)\ (T\ x)\ S) & \triangleq & \mathit{subst}\ N\ L\ (T\ V)\ S
\end{array}$$

Figure 9. Arbitrary cascading substitutions

We can define arbitrary cascading substitutions in $\mathcal{G}$ using the unique structure of definitions. In particular, we can define a predicate which holds on a list of pairs $(c_i, V_i)$, a term with the form $M\ c_1 \cdots c_n$ and a term of the form $M\ V_1 \cdots V_n$. The idea is to iterate over the list of pairs and for each pair $(c, V)$ use $\nabla$ in the head of a definition to abstract $c$ out of the first term and then substitute $V$ before continuing. This is the motivation for subst defined in Figure 9. Note that we have also added a natural number argument to be used for inductive proofs.

Given the definition of subst one may then show that arbitrary cascading substitutions have many of the same properties as normal higher-order substitutions. For instance, in the domain of the untyped $\lambda$-calculus, we can show that subst acts compositionally via the following lemmas.

$$\forall n, \ell, t, r, s.\ (\mathit{nat}\ n \wedge \mathit{subst}\ n\ \ell\ (\mathit{app}\ t\ r)\ s) \supset \exists u, v.\ s = \mathit{app}\ u\ v \wedge \mathit{subst}\ n\ \ell\ t\ u \wedge \mathit{subst}\ n\ \ell\ r\ v$$

$$\forall n, \ell, t, r.\ (\mathit{nat}\ n \wedge \mathit{subst}\ n\ \ell\ (\mathit{abs}\ t)\ r) \supset \exists s.\ r = \mathit{abs}\ s \wedge \nabla z.\ \mathit{subst}\ n\ \ell\ (t\ z)\ (s\ z)$$

Both of these lemmas have straightforward proofs: induct on $n$, use defL on the assumption of subst, apply the inductive hypothesis and use defR to complete the proof.
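As an added illustration (example code written for this page, not the paper's or Abella's), here is a Python rendering of Figure 9's cascading substitution over untyped $\lambda$-terms in $\lambda$-tree syntax, with the two compositionality lemmas above checked on constructed terms. The names Nom, App, Abs, replace, subst, alpha_eq, app_lemma_holds, abs_lemma_holds and the sample terms K, I and open_term are mine; as in the paper, the instantiating terms $V$ are assumed closed.

```python
# Added example (not from the paper or Abella): arbitrary cascading
# substitution in the sense of Figure 9, over untyped lambda-terms in
# lambda-tree syntax, plus checks of the two compositionality lemmas.
from dataclasses import dataclass
from typing import Callable, List, Tuple, Union
import itertools

@dataclass(frozen=True)
class Nom:            # nominal constant: a free variable of an open term
    name: str

@dataclass(frozen=True)
class App:            # app t r
    fn: "Term"
    arg: "Term"

@dataclass
class Abs:            # abs t, with the binder as a Python function
    body: Callable[["Term"], "Term"]

Term = Union[Nom, App, Abs]
Pairs = List[Tuple[Nom, Term]]   # the list ((c, V) :: L) of Figure 9

_counter = itertools.count()

def fresh_nom() -> Nom:
    """The nabla quantifier: a nominal constant not used so far."""
    return Nom(f"z{next(_counter)}")

def replace(c: Nom, v: Term, t: Term) -> Term:
    """Abstract c out of t and apply the abstraction to v: (lambda c. t) v."""
    if isinstance(t, Nom):
        return v if t == c else t
    if isinstance(t, App):
        return App(replace(c, v, t.fn), replace(c, v, t.arg))
    return Abs(lambda x: replace(c, v, t.body(x)))

def subst(pairs: Pairs, t: Term) -> Term:
    """subst n L T S, read as a function from (L, T) to S: for each (c, V) in
    turn, abstract c out of the current term and substitute V, then continue
    with the rest of the list.  The nat argument n is len(pairs).  The V are
    assumed closed, as in the paper, so no later pair's c can be captured."""
    for c, v in pairs:
        t = replace(c, v, t)
    return t

def alpha_eq(a: Term, b: Term) -> bool:
    """Equality up to renaming of bound variables: two abstractions are equal
    when their bodies agree on the same fresh nominal constant (nabla z)."""
    if isinstance(a, Nom) and isinstance(b, Nom):
        return a == b
    if isinstance(a, App) and isinstance(b, App):
        return alpha_eq(a.fn, b.fn) and alpha_eq(a.arg, b.arg)
    if isinstance(a, Abs) and isinstance(b, Abs):
        z = fresh_nom()
        return alpha_eq(a.body(z), b.body(z))
    return False

def app_lemma_holds(pairs: Pairs, t: Term, r: Term) -> bool:
    """subst n l (app t r) s  implies  s = app u v with
    subst n l t u and subst n l r v."""
    s = subst(pairs, App(t, r))
    return (isinstance(s, App)
            and alpha_eq(s.fn, subst(pairs, t))
            and alpha_eq(s.arg, subst(pairs, r)))

def abs_lemma_holds(pairs: Pairs, t: Abs) -> bool:
    """subst n l (abs t) r  implies  r = abs s with
    nabla z. subst n l (t z) (s z)."""
    r = subst(pairs, t)
    if not isinstance(r, Abs):
        return False
    z = fresh_nom()
    return alpha_eq(r.body(z), subst(pairs, t.body(z)))

# Constructed sample data (not from the paper).
a, b = Nom("a"), Nom("b")
open_term = App(Abs(lambda y: App(y, a)), b)      # (\y. y a) b, open in a, b
K = Abs(lambda x: Abs(lambda y: x))               # closed instantiation for a
I = Abs(lambda x: x)                              # closed instantiation for b
pairs = [(a, K), (b, I)]
closed_term = subst(pairs, open_term)             # (\y. y K) I

if __name__ == "__main__":
    print(alpha_eq(closed_term, App(Abs(lambda y: App(y, K)), I)))   # True
    print(app_lemma_holds(pairs, Abs(lambda y: App(y, a)), b))       # True
    print(abs_lemma_holds(pairs, Abs(lambda y: App(a, App(y, b)))))  # True
```

The $\nabla x$ in the head of Figure 9's second clause is what guarantees that $x$ cannot occur in $V$ or in the remaining pairs $L$; the Python version inherits that guarantee only from the closedness assumption on the $V$, which is the caveat to keep in mind if it is reused with open instantiations. alpha_eq compares abstractions by applying both bodies to one fresh nominal constant, the same move the $\nabla z$ makes in the abs lemma.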

5. Related work 

Mechanized reasoning about structural operational semantics-style specifications of formal systems has received the attention of other researchers. Recent impetus for this kind of reasoning has been provided by a desire for computer verified proofs in the realm of programming language theory [2]. One line of research focuses on developing proofs within the framework provided by an existing and well-developed interactive theorem prover such as Coq and Isabelle/HOL [25]. Many of the contexts in which machine authenticated reasoning of this kind is needed deal with objects involving binding. Several previous attempts have been characterized by the use of algebraic datatypes, enhanced perhaps by a de Bruijn-like representation of bound variables, in the encoding of binding constructs. While some success has been achieved using this approach to object representation [?, ?, 38], it has also been noted that the real reasoning task is often overwhelmed under such an approach by the proofs of mundane binding and substitution oriented lemmas.

The more natural and more promising approaches to the kind of reasoning of interest are the ones that provide special logic based treatments of binding such as is manifest in $\lambda$-tree syntax. We discuss the main lines of research under this rubric below.

Nominal logic based reasoning Nominal logic extends first-order syntax with primitives for treating variable names in such a way that $\alpha$-equivalence classes are recognized [28]. This considerably simplifies the treatment of binding in specifications. In contrast to the approach underlying our work, no separate meta-logic has as yet been developed for reasoning about nominal logic descriptions. Reasoning about specifications written in this logic is instead realized by axiomatizing the primitives of the logic in a rich system such as Coq or Isabelle/HOL [?, 37]. This approach has proved successful for many applications.

Aside from the absence of a meta-logic, the most prominent difference between the nominal logic based approach and our work is that we use $\lambda$-tree syntax and thus obtain a comprehensive treatment of both $\alpha$-equivalence and substitution within the logic. The nominal logic approach does not provide any direct support for substitution, and instead requires substitution to be defined on a case-by-case basis. In reasoning, this means that various substitution lemmas need to be proved for each syntactic class over which substitution is defined. Another difference worth noting is that we can derive freshness as a consequence of the nesting of quantifiers in an explicit definition of the fresh predicate, whereas nominal logic approaches either take freshness as primitive or define it in terms of set membership.

Two levels of logic McDowell & Miller [?] explored using a two-level approach to reasoning about, for example, the operational semantics and the typing of small programming languages. Both levels of logic shared the same $\lambda$-tree approach to the treatment of (object-level and meta-level) binding: the object-logic was a simple second-order intuitionistic logic and the meta-logic was called $FO\lambda^{\Delta\mathbb{N}}$. While $FO\lambda^{\Delta\mathbb{N}}$ contained inference rules for definitions, it lacked the $\nabla$-quantifier. As a result, the seq predicate could not be specified in the same direct fashion as it is in Figure 5.

As we illustrated briefly in Section 4, replacing $FO\lambda^{\Delta\mathbb{N}}$ with $\mathcal{G}$ strengthens the expressiveness of the meta-logic by allowing more declarative approaches to the specification of invariants for (object-level) contexts. As a result, many of the theorems that have been proved in $FO\lambda^{\Delta\mathbb{N}}$ [16] can be given much more understandable proofs in $\mathcal{G}$.

Twelf Pfenning and Schürmann [31] also describe a two-level approach in which LF terms and types are used at the object-level and the logic $\mathcal{M}_2$ is used at the meta-level. Schürmann's PhD thesis [30] further extended that meta-logic to one called $\mathcal{M}_2^+$. This framework is realized in Twelf [27], which also provides a related style of meta-reasoning based on mode, coverage, and termination checking over higher-order judgments in LF. Their approach also makes use of $\lambda$-tree syntax at both the object and meta-levels and goes beyond our proposal here in that they handle the complexities of dependent types and proof objects [9]. On the other hand, the kinds of meta-level theorems they can prove are different from what is available in $\mathcal{G}$. For example, implication and negation are not present in $\mathcal{M}_2^+$ and cannot be encoded in higher-order LF judgments: hence, properties such as bisimulation for CCS or the $\pi$-calculus are not provable.

A key component in $\mathcal{M}_2^+$ and in the higher-order LF judgment approach to meta-reasoning is the ability to specify invariants related to the structure of meta-logical contexts. These invariants are called regular worlds and their analogue in our system is judgments such as cntx which explicitly describe the structure of contexts. While the approach to proving properties in Twelf is powerful and convenient for many applications, one might prefer defining explicit invariants, such as cntx, over the use of regular worlds, since this allows describing more general judgments over contexts, such as in the example of arbitrary cascading substitutions where the subst predicate actively manipulates the context of a term.

Implementation The first author has implemented a significant portion of $\mathcal{G}$ in a recently released system called Abella [7]. This system provides an interactive tactics-based interface to proof construction. The primary focus of Abella is on reasoning about object-level specifications written in hereditary Harrop formulas: provability in that logic is provided by a definition similar to that of seq in Figure 5. Through this approach, Abella is able to take advantage of meta-level properties of the logic of hereditary Harrop formulas (e.g., cut and instantiation properties) while never having to reason outside of $\mathcal{G}$.

Abella has been used in many applications, including all the examples mentioned in this paper. First-order results include reasoning on structures such as natural numbers and lists. Taking advantage of $\lambda$-tree syntax, application domains such as the simply typed $\lambda$-calculus are directly accessible. Particular results include equivalence of big-step and small-step evaluation, preservation of typing for both forms of evaluation, and determinacy for both forms of evaluation. More advanced results which make use of generic judgments for describing contexts include type uniqueness, disjoint partitioning of $\lambda$-terms into normal and non-normal form, and the Church-Rosser theorem. Larger applications include challenges 1a and 2a of the POPLmark challenge [?], a task which involves reasoning about the contexts of subtyping judgments for $F_{<:}$, a $\lambda$-calculus with bounded subtype polymorphism. Finally, we have formalized a proof of normalization for the simply-typed $\lambda$-calculus based on Tait's reducibility argument [32]. This last example uses the formalization of arbitrarily cascading substitutions described in Section 4.

6. Future work 

We are presently investigating the extension of $\mathcal{G}$ with a general treatment of induction over definitions as in the closely related logic Linc [33]. This extension would simplify many inductive arguments by obviating explicit measures in induction; thus, natural numbers encoding computation lengths would not be needed in the definitions of the element and subst predicates considered in Section 4 if we can induct directly on the unfolding of their definitions. Another benefit of this approach to induction is that it has a naturally dual rule for coinduction over coinductive definitions. This rule has been found useful in Linc, for example, in proving properties of systems such as the $\pi$-calculus.

At a practical level, we are continuing to develop Abella as a theorem proving system and to explore its use in complex reasoning tasks. We expect to use Abella to provide more elegant proofs of the many meta-logical theorems found in [16], which include cut-elimination theorems, type preservation, and determinacy of typing and evaluation. Finally, if the previously mentioned work on coinduction is completed, Abella can be used to explore the role of generic definitions in a coinductive setting.